Managed XDR

vtdl_1742094888_23c_hpcl (Tinba, Ryuk) — отчёт о динамическом анализе вредоносного файла

Информация о файле

Имя файла
vtdl_1742094888_23c_hpcl
Тип файла
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Размер файла
130.5 KB
Первое обнаружение
Последнее обнаружение

Окружение

win7/x86 en

Хеши

SHA1
e31e091eb828c6c653e35a8a3da674a5342d9666
SHA256
ca8a4e7ad9908821f6904b9919cc4526e9355e241097cab31c5c43342374a3f4
MD5
f38343a47e01ba172d7d99c9119c2df2

Вредоносное ПО

  • Tinba
  • Ryuk

Сигнатуры

Persistence

T1574 dropper_dll: Creates DLL, which is then loaded into the process

Privilege Escalation

T1574 dropper_dll: Creates DLL, which is then loaded into the process
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Defense Evasion

T1036 copies_utilities: Copies and runs system utility with different name
T1027.002 unnamed_memory_regions_contains_pe: One or several unnamed memory regions are PE files
T1027.002 unnamed_memory_regions: Code was executed in unnamed regions
T1564.001 stealth_file: Creates hidden or system files
T1497 antidbg_query_process: Checks if the process is being debugged (ProcessDebugPort)
T1497.003 antisandbox_sleep: The process attempted to slow down analysis
T1222 icacls: May obtain or change Discretionary access control lists (DACLs)
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process
T1070 stealth_window: A process created a hidden window
T1574 dropper_dll: Creates DLL, which is then loaded into the process

Discovery

T1497 antidbg_query_process: Checks if the process is being debugged (ProcessDebugPort)
T1497.003 antisandbox_sleep: The process attempted to slow down analysis
T1518 locates_browser: Attempts to identify where browsers are installed

Collection

T1074.001 access_recyclebin: Manipulation with recyclebin detected

Impact

T1486 ransomware_files: Ransomware indicators detected Ryuk (creates keys and the instruction on how to unlock the files)
T1486 ransomware_files_2: Ransomware(s) Ryuk indicators detected (creates keys and the instruction on how to unlock the files)

Other

yara_rules: Static rules
ryuk: Detected Ryuk ransomware
executes_dropped_exe: Executes dropped exe files
creates_in_windows: Creates files in the Windows directory
creates_exe: Creates executable files in the file system
no_graphical_activity: No graphic activity
break_limit_exceeded: Warning: function calls limit has been exceeded
get_policy_info: Retrieves information about a Policy object

Похожие отчёты